feat(backend-core,clerk-sdk-node,edge): Add support to verify azp session token claim
Add support on VerifyToken and across package middlewares to verify the azp claim of the session token against a supplied whitelist of authorized parties
1 parent
793bdb8
commit eab1c8c
Showing
9 changed files
with
188 additions
and
16 deletions.
@@ -0,0 +1,87 @@ | ||
import { checkClaims } from '../../util/jwt'; | ||
import { JWTPayload } from '../../util/types'; | ||
|
||
test('check jwt claims with no issuer', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
} | ||
|
||
expect(() => checkClaims(dummyClaims)).toThrow(`Issuer is invalid: ${dummyClaims.iss}`) | ||
}) | ||
|
||
test('check jwt claims with invalid issuer', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'invalid-issuer', | ||
} | ||
|
||
expect(() => checkClaims(dummyClaims)).toThrow(`Issuer is invalid: ${dummyClaims.iss}`) | ||
}) | ||
|
||
test('check jwt claims with valid issuer', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
} | ||
|
||
expect(() => checkClaims(dummyClaims)).not.toThrow() | ||
}) | ||
|
||
test('check jwt claims with invalid azp', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
azp: 'invalid-azp', | ||
} | ||
const authorizedParties: string[] = ['valid-azp', 'another-valid-azp'] | ||
|
||
expect(() => checkClaims(dummyClaims, authorizedParties)).toThrow(`Authorized party is invalid: ${dummyClaims.azp}`) | ||
}) | ||
|
||
test('check jwt claims with no azp and no authorized parties', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
} | ||
|
||
expect(() => checkClaims(dummyClaims)).not.toThrow() | ||
}) | ||
|
||
test('check jwt claims with no azp and provided authorized parties', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
} | ||
const authorizedParties: string[] = ['valid-azp', 'another-valid-azp'] | ||
|
||
expect(() => checkClaims(dummyClaims, authorizedParties)).not.toThrow() | ||
}) | ||
|
||
test('check jwt claims with azp and no authorized parties', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
azp: 'random-azp', | ||
} | ||
|
||
expect(() => checkClaims(dummyClaims)).not.toThrow() | ||
}) | ||
|
||
test('check jwt claims with no azp and provided authorized parties', () => { | ||
const dummyClaims: JWTPayload = { | ||
sub: 'subject', | ||
exp: 1643374283, | ||
iss: 'https://clerk.happy.path', | ||
azp: 'valid-azp', | ||
} | ||
const authorizedParties: string[] = ['a-valid-azp', 'valid-azp', 'another-valid-azp'] | ||
|
||
expect(() => checkClaims(dummyClaims, authorizedParties)).not.toThrow() | ||
}) |
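Review bot: The case at L93–L103 pins that a token carrying no `azp` claim is accepted even when `authorizedParties` is supplied, so the allow-list only constrains tokens that happen to carry the claim; if that fail-open behaviour is deliberate it should be stated next to the test, otherwise the expectation should become `.toThrow(\`Authorized party is invalid: ${dummyClaims.azp}\`)` and `checkClaims` (not visible in this view, nor is this file's path) adjusted to match. The last test at L119 reuses the name of the L93 test although it exercises the opposite case (`azp: 'valid-azp'` present in the list); rename it to `'check jwt claims with valid azp and provided authorized parties'`. An empty `authorizedParties` array is not covered either; a test pinning whether `[]` disables the check or rejects every token would document the intended contract. A comment such as `// azp is only enforced when authorizedParties is provided; a token without azp is accepted — TODO confirm this is intended` above L93 would make the decision explicit for the next maintainer.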